This blog is based on the events described in this article, which appeared in Times of India and a few other newspapers.
In a nutshell – the accused had managed to transfer huge amount of monies via sms / mobile banking by de-activating the SIM card of the victim and procuring the same mobile number SIM by social engineering and forging documents.
What interested me the most has not been described in the article i.e. How did the accused manage to associate mobile number with the account which had net-banking enabled.
There are two methods by way of which this fraud can be committed.
Method A:
Victim’s computer system is compromised and is infected with a key-logger and the accused have somehow managed to lay their hands on this data i.e. Mobile number , Name of the Bank, Account Number and other personal details.
Logically and the way things move around in hacking circles, only a noob would go to the extent of deactivating the original SIM and re-activating a different/new SIM on his own mobile, because, to access an internet banking account all one needs is a internet connection, IP tunneling application (to hide the IP) and a compatible browser.
Incidentally, many of banking trojans provide online alerts to their handlers when the victim is conducting a high value transaction or the account has sufficient amount.
The question which arises after analyzing this method is – Since this is an easy task (when all the keys-logged have provided the much needed information – see ZEUS), then why would the accused use a duplicate SIM. The answer lies in the second method.
Method B:
Netbanking, is a feature provided by many banks to enhance the consumer experience alongwith this, with the advent of Smartphones, mobile banking has taken its roots. Many of the Net-banking customers utilize mobile banking to suffice their banking needs.
An application is downloaded on to the mobile phone which provides access to the core banking services or SMS banking. The bank in question was SBI and here are their SMS banking features. The second bank was ICICI, their demo is here.
In order for commit a fraud or theft, it is of prime importance to have physical access to the mobile phone. Without physical access, it would be virtually impossible to access anyone’s account. Insider threat, can never be ruled out.
The victim might have lost his mobile handset / was stolen / had sent it in for repairs, on which he must have stored the login credentials – normally every human has the tendency to store the required information at a place from where it can be retrieved easily and immediately.
A PC / Laptop user will store passwords in a file on the disk and a paranoid user will encrypt it. And a mobile user will store the credentials on a mobile phone – for easy accessibility. Those who do not want to trust their disk, will end up choosing easy passwords or single password for multiple sites, which again is a security hazard – remember HB Gary’s Mr. Barr. But when it comes to mobile phones – I have seen people storing their Credit card details and other essentials on their mobile phones and only reason is that – Mobile is in my pocket and is with me always hence its more secure – that’s the attitude/thought which germinates in the minds of many mobile users.
The accused must have got their hands on this mobile phone and the rest of the modus operendi has been explained by the cyber sleuths.
Do’s and Dont’s
1: Mobile phones are prone to get lost or stolen.
2: Use a good Mobile Protection Suite – hopefully these things function the way they are supposed to.
3: When giving your mobile for repairs – be careful.
4: When throwing away your Memory card, better option would be to burn it.
5: Havent yet heard of Memory Card Encryption App for Mobile Phone, but if its available use it and also let me know.
6: If you are unable to locate your mobile phone or it has got stolen, immediately notify the banks to stop online transactions and dont use this feature for a atleast a few weeks or alternatively, use a different number.
7: At the end of day, if one does fall prey to such thefts, one should consider donating to charity, atleast they can put your hard earned monies to some good use.
Summary:
Victim’s phone was accessed physically and data was retrieved. The original SIM was then deactivated and a new SIM was procured. From the new SIM, mobile banking transaction was initiated.
4 Comments
O Kaul
Interesting- I can further add for SMS alerts for Net Banking. Option is available for Customers to activate/ deactivate SMS alerts in net banking
Since phisher has access to cust account, at the time of executing ecms, they generally deactivate SMS alerts, hence true customer may not get alert for this txn
Customers need to be cautious while giving inf over phone. Phishers generally call posing as bank staff and customers knowingly/ unknowingly part with sensitive information – God only can help in this case!!!
Public has to be alert/ smart/ vigilant- public awareness can also reduce these incidents
R Sachin
Yes. you are right.
Capatin
It’s spooky how cleevr some ppl are. Thanks!
Pingback: Google: 2 step verification | Welcome to the eScan Blog